Lab 10: Building a Packet Analyzer for IP Traffic

Goals

Learn to parse the information in packet traces: In this lab you will continue the work started last week. You previously mined a packet trace only for Ethernet frame headers with Layer 2 information. This time you will learn to analyze further information such as IP, TCP, and UDP from the trace data.

Become familiar with the protocol headers and data units from several protocols: Starting from a skeleton that can parse the information in an IP packet, you can build a program that understands the headers of protocols like UDP and TCP. In the process of constructing this application, you will learn the header format of these protocols and gain understanding of how the protocols accomplish their goals.

Learn to read protocol specification documents (RFCs): These documents contain the most authoritative information one can find on Internet standards and Internet protocols. You should spend some time in this lab period researching a few RFCs and getting familiar with the style and the content of the documents associated with protocols you already understand well.

Credits

The material for this lab was created by Professor L. Felipe Perrone based on previous work by Professor Xiannong Meng (Bucknell University) and Professor Ralph Droms (now Cisco). Permission to reuse this material in parts or in its entirety is granted provided that the credits note is not removed. Additional student files associated with this lab, as well as any existing solutions, can be provided upon request by e-mail to perrone[at]bucknell[dot]edu.

If the Type field has the value 0x0800, then the payload of the Ethernet frame contains an IP packet, whose header looks as follows.

Figure: IP Packet Format

In your last lab, you printed the source and destination IP addresses. In this lab, you will extract further information from an IP packet. Specifically, you are to extract various pieces of information from TCP and UDP packets.

Within an IP packet, the Protocol field identifies the transport-layer protocol carried in the packet's payload. If the value is 6, the transport-layer protocol is TCP; if the value is 17, it is UDP. There are other transport protocols, but we are primarily interested in TCP and UDP in this lab. Given this layered structure, you are asked to extract transport-layer information from the trace data once an IP packet is encountered. The general strategy is to read the trace data as you did in your last lab; analyze each Ethernet frame; extract the IP and transport-layer protocol information; and, if the transport protocol is either UDP or TCP, dissect the packet further to print detailed information about these two protocols. The packet formats for UDP and TCP are shown below.

Figure: TCP Packet Format

Figure: UDP Packet Format

While the above figures should help you understand the structure of the packets, the actual header files and the names of the fields are needed for programming. These files can be found on the Linux system at the following locations.

Your work

You are given a program skeleton that outlines the tasks for you. Part of the program has been completed. Your task is to finish the remaining part of the program so that it is able to parse out the TCP and UDP packets in the trace file.

First copy all the files from the course directory to your local Git repository.

cp -r ~cs363/Spring16/student/labs/lab10 .

You should receive a set of files. The use of these files will become clear as you go through the lab. One file we might not use directly is the file named manu, which is the mapping between Ethernet MAC addresses and the names of the manufacturers that make these Ethernet cards. This file gives you some sense of who makes these cards.

Glance over the files etherTrace.c, etherTrace.h, and prot_strings.c to see what these programs do. You should concentrate on etherTrace.c once you have a basic understanding of what etherTrace.c and prot_strings.c do. Make sure you know what each function does in etherTrace.c. The files trace-dec21-2005.out and trace-nov29-2015.out are the two sample output files of a completed program. Your result should be similar to those files, though you may change the presentation format if you want to. Your tasks include the following.

Complete the while loop in the main() function. Essentially, you need to advance the pointer (address) into the data buffer so that it points at the start of the TCP or UDP header of each packet.

Complete the function parse_ip_header(), which you already wrote in the last lab.

Complete the function parse_rec_header(), which you already wrote in the last lab.

Complete the function parse_udp_header() (new in this lab).

Complete the function parse_tcp_header() (new in this lab).

Compile and run your program using the data files. The result should be similar to the output files given.
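The procedure above, from the Ethernet Type check through the TCP and UDP dissection, can be written as a single bounds-checked function. The following is an added example, not the lab's etherTrace.c skeleton or the course's solution: it decodes the headers by hand from network byte order instead of using the Linux header files, so the struct and function names (pkt_summary, dissect_frame, rd16, rd32) are my own, and the two frames it runs on are constructed inline rather than read from a trace file. It also handles the case the while loop in main() must get right when aligning the transport pointer: an IP header carrying options, where IHL is larger than 5.

```c
/* Added example: a minimal Ethernet/IPv4/TCP/UDP header dissector.
 * Not the lab's etherTrace.c; the struct and helper names are my own.
 * Fields are decoded by hand from network byte order so the code does
 * not depend on the platform's netinet/*.h struct layouts. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IPV4   0x0800  /* Ethernet Type value for an IPv4 payload */
#define IPPROTO_TCP_NUM  6       /* IPv4 Protocol field: TCP */
#define IPPROTO_UDP_NUM  17      /* IPv4 Protocol field: UDP */

struct pkt_summary {
    uint16_t ethertype;
    uint8_t  ip_proto;          /* 6 = TCP, 17 = UDP, anything else is not dissected */
    uint8_t  ip_hdr_len;        /* IHL * 4, in bytes; > 20 when options are present */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t tcp_seq, tcp_ack;
    uint8_t  tcp_flags;         /* low 6 bits: URG ACK PSH RST SYN FIN */
    uint16_t udp_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Dissect one captured Ethernet frame of len bytes into *out.
 * Returns 0 on success, -1 if the frame is not IPv4 or is too short for the
 * headers it claims to carry. Every read is checked against len first, because
 * a trace file can contain truncated or malformed records. */
int dissect_frame(const uint8_t *buf, size_t len, struct pkt_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                          /* dst MAC(6) src MAC(6) Type(2) */
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != ETHERTYPE_IPV4) return -1;

    const uint8_t *ip = buf + 14;
    size_t ip_len = len - 14;
    if (ip_len < 20) return -1;                       /* minimum IPv4 header */
    if ((ip[0] >> 4) != 4) return -1;                 /* version nibble */
    out->ip_hdr_len = (uint8_t)((ip[0] & 0x0f) * 4);  /* IHL is in 32-bit words */
    if (out->ip_hdr_len < 20 || ip_len < out->ip_hdr_len) return -1;
    uint16_t total_len = rd16(ip + 2);
    if (total_len < out->ip_hdr_len || total_len > ip_len) return -1; /* must fit the capture */
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);

    /* Align the transport pointer past the (possibly option-bearing) IP header. */
    const uint8_t *tp = ip + out->ip_hdr_len;
    size_t tp_len = total_len - out->ip_hdr_len;

    if (out->ip_proto == IPPROTO_TCP_NUM) {
        if (tp_len < 20) return -1;                   /* minimum TCP header */
        out->src_port  = rd16(tp);
        out->dst_port  = rd16(tp + 2);
        out->tcp_seq   = rd32(tp + 4);
        out->tcp_ack   = rd32(tp + 8);
        out->tcp_flags = tp[13];
    } else if (out->ip_proto == IPPROTO_UDP_NUM) {
        if (tp_len < 8) return -1;                    /* UDP header is fixed at 8 bytes */
        out->src_port = rd16(tp);
        out->dst_port = rd16(tp + 2);
        out->udp_len  = rd16(tp + 4);
    }
    return 0;
}

/* Constructed sample frames (checksums left as zero; they are not verified here). */
const uint8_t SAMPLE_TCP_SYN[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, Type 0x0800 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 IHL=5, len 40, proto 6 */
    0x0a,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x02,                                 /* 10.0.0.1 -> 192.168.1.2 */
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP 49152 -> 80, seq 1 */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00                                  /* offset 5, flags SYN */
};
const uint8_t SAMPLE_UDP_DNS[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x46,0x00,0x00,0x20, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,           /* IPv4 IHL=6, len 32, proto 17 */
    0x0a,0x00,0x00,0x01, 0x08,0x08,0x08,0x08, 0x01,0x01,0x01,0x00,           /* 10.0.0.1 -> 8.8.8.8, options NOP NOP NOP EOL */
    0xd4,0x31,0x00,0x35, 0x00,0x08,0x00,0x00                                  /* UDP 54321 -> 53, length 8 */
};

static void print_ip(uint32_t a) {
    printf("%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 0xff),
           (unsigned)((a >> 8) & 0xff), (unsigned)(a & 0xff));
}

static void print_summary(const struct pkt_summary *s) {
    printf("IPv4 "); print_ip(s->src_ip); printf(" -> "); print_ip(s->dst_ip);
    printf(" proto %u (header %u bytes)\n", s->ip_proto, s->ip_hdr_len);
    if (s->ip_proto == IPPROTO_TCP_NUM)
        printf("  TCP %u -> %u seq %u ack %u flags 0x%02x\n", s->src_port, s->dst_port,
               (unsigned)s->tcp_seq, (unsigned)s->tcp_ack, s->tcp_flags);
    else if (s->ip_proto == IPPROTO_UDP_NUM)
        printf("  UDP %u -> %u length %u\n", s->src_port, s->dst_port, s->udp_len);
}

int main(void) {
    struct pkt_summary s;
    if (dissect_frame(SAMPLE_TCP_SYN, sizeof SAMPLE_TCP_SYN, &s) == 0) print_summary(&s);
    if (dissect_frame(SAMPLE_UDP_DNS, sizeof SAMPLE_UDP_DNS, &s) == 0) print_summary(&s);
    /* A record cut short in the capture is rejected rather than read past its end. */
    printf("truncated frame -> %d\n", dissect_frame(SAMPLE_TCP_SYN, 50, &s));
    return 0;
}
```

The transport pointer is computed from IHL rather than from a fixed offset of 20, which is what makes the second frame (24-byte IP header) decode correctly; and because every read is checked against the captured length first, a record shorter than the Total Length it advertises is reported as an error instead of being read past the end of the buffer.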

Save a copy of your output by redirecting the screen output to a text file when using the given trace-dec21-2015.dat.

./etherTrace trace-dec21-2005.dat > lab10-out1.txt

Save a copy of your output by redirecting the screen output to a text file when using your own captured file.

./etherTrace your-own-trace-file > lab10-out2.txt

When your program works fine, you can try it on many other trace files generated by the textbook authors, or on the trace file you generated yourself. A local copy of these trace files is at

~cs363/traces/

Try, for example,

./etherTrace ~cs363/traces/http-ethereal-trace-1

When everything is complete, run make clean to remove unnecessary files. Then commit the entire lab10 directory and submit it to your Gitlab repository by the deadline.